/usr/share/doc/ganeti/html/cluster-keys-replacement.html is in ganeti-doc 2.16.0~rc2-1build1.
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
  "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
  <head>
    <meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
    <title>Cluster Keys Replacement &#8212; Ganeti 2.16.0~rc2 documentation</title>
    <link rel="stylesheet" href="_static/style.css" type="text/css" />
    <link rel="stylesheet" href="_static/pygments.css" type="text/css" />
    <script type="text/javascript">
      var DOCUMENTATION_OPTIONS = {
        URL_ROOT:    './',
        VERSION:     '2.16.0~rc2',
        COLLAPSE_INDEX: false,
        FILE_SUFFIX: '.html',
        HAS_SOURCE:  true,
        SOURCELINK_SUFFIX: '.txt'
      };
    </script>
    <script type="text/javascript" src="_static/jquery.js"></script>
    <script type="text/javascript" src="_static/underscore.js"></script>
    <script type="text/javascript" src="_static/doctools.js"></script>
    <link rel="search" title="Search" href="search.html" />
    <link rel="next" title="Improving allocation efficiency by considering the total reserved memory" href="design-allocation-efficiency.html" />
    <link rel="prev" title="Merging clusters" href="cluster-merge.html" /> 
  </head>
  <body>

    <div class="document">
      <div class="documentwrapper">
        <div class="bodywrapper">
          <div class="body" role="main">
            
  <div class="section" id="cluster-keys-replacement">
<h1>Cluster Keys Replacement<a class="headerlink" href="#cluster-keys-replacement" title="Permalink to this headline"></a></h1>
<p>Ganeti uses both SSL and SSH keys, and actively modifies the SSH keys
on the nodes. As a result, replacing these keys takes a few extra
steps.</p>
<p>For an example when this could be needed, see the thread at
<a class="reference external" href="http://groups.google.com/group/ganeti/browse_thread/thread/30cc95102dc2123e">Regenerating SSL and SSH keys after the security bug in Debian’s
OpenSSL</a>.</p>
<p>Ganeti uses OpenSSL for encryption on the RPC layer and SSH for
executing commands. The SSL certificate is automatically generated
when the cluster is initialized and it’s copied to added nodes
automatically together with the master’s SSH host key.</p>
<p>Note that paths below may vary depending on your distribution. In
general, modifications should be done on the master node and then
distributed to all nodes of a cluster (possibly using a pendrive - but
don’t forget to use “shred” to remove files securely afterwards).</p>
<div class="section" id="replacing-ssl-keys">
<h2>Replacing SSL keys<a class="headerlink" href="#replacing-ssl-keys" title="Permalink to this headline"></a></h2>
<p>The cluster-wide SSL key is stored in <code class="docutils literal"><span class="pre">/var/lib/ganeti/server.pem</span></code>.
Besides that, since Ganeti 2.11, each node has an individual node
SSL key, which is stored in <code class="docutils literal"><span class="pre">/var/lib/ganeti/client.pem</span></code>. This
client certificate is signed by the cluster-wide SSL certificate.</p>
<p>To renew the individual node certificates, run this command:</p>
<div class="highlight-default"><div class="highlight"><pre><span></span><span class="n">gnt</span><span class="o">-</span><span class="n">cluster</span> <span class="n">renew</span><span class="o">-</span><span class="n">crypto</span> <span class="o">--</span><span class="n">new</span><span class="o">-</span><span class="n">node</span><span class="o">-</span><span class="n">certificates</span>
</pre></div>
</div>
<p>Run the following command to generate a new cluster-wide certificate:</p>
<div class="highlight-default"><div class="highlight"><pre><span></span><span class="n">gnt</span><span class="o">-</span><span class="n">cluster</span> <span class="n">renew</span><span class="o">-</span><span class="n">crypto</span> <span class="o">--</span><span class="n">new</span><span class="o">-</span><span class="n">cluster</span><span class="o">-</span><span class="n">certificate</span>
</pre></div>
</div>
<p>Note that this triggers both the renewal of the cluster certificate
and the renewal of the individual node certificates. The reason is that
the node certificates are signed by the cluster certificate and thus
need to be renewed and re-signed as soon as the cluster certificate
changes. Therefore, the command above is equivalent to:</p>
<div class="highlight-default"><div class="highlight"><pre><span></span><span class="n">gnt</span><span class="o">-</span><span class="n">cluster</span> <span class="n">renew</span><span class="o">-</span><span class="n">crypto</span> <span class="o">--</span><span class="n">new</span><span class="o">-</span><span class="n">cluster</span><span class="o">-</span><span class="n">certificate</span> <span class="o">--</span><span class="n">new</span><span class="o">-</span><span class="n">node</span><span class="o">-</span><span class="n">certificates</span>
</pre></div>
</div>
<p>On older versions, which don’t have this command, use this instead:</p>
<div class="highlight-default"><div class="highlight"><pre><span></span><span class="n">chmod</span> <span class="mi">0600</span> <span class="o">/</span><span class="n">var</span><span class="o">/</span><span class="n">lib</span><span class="o">/</span><span class="n">ganeti</span><span class="o">/</span><span class="n">server</span><span class="o">.</span><span class="n">pem</span> <span class="o">&amp;&amp;</span>
<span class="n">openssl</span> <span class="n">req</span> <span class="o">-</span><span class="n">new</span> <span class="o">-</span><span class="n">newkey</span> <span class="n">rsa</span><span class="p">:</span><span class="mi">1024</span> <span class="o">-</span><span class="n">days</span> <span class="mi">1825</span> <span class="o">-</span><span class="n">nodes</span> \
 <span class="o">-</span><span class="n">x509</span> <span class="o">-</span><span class="n">keyout</span> <span class="o">/</span><span class="n">var</span><span class="o">/</span><span class="n">lib</span><span class="o">/</span><span class="n">ganeti</span><span class="o">/</span><span class="n">server</span><span class="o">.</span><span class="n">pem</span> \
 <span class="o">-</span><span class="n">out</span> <span class="o">/</span><span class="n">var</span><span class="o">/</span><span class="n">lib</span><span class="o">/</span><span class="n">ganeti</span><span class="o">/</span><span class="n">server</span><span class="o">.</span><span class="n">pem</span> <span class="o">-</span><span class="n">batch</span> <span class="o">&amp;&amp;</span>
<span class="n">chmod</span> <span class="mi">0400</span> <span class="o">/</span><span class="n">var</span><span class="o">/</span><span class="n">lib</span><span class="o">/</span><span class="n">ganeti</span><span class="o">/</span><span class="n">server</span><span class="o">.</span><span class="n">pem</span> <span class="o">&amp;&amp;</span>
<span class="o">/</span><span class="n">etc</span><span class="o">/</span><span class="n">init</span><span class="o">.</span><span class="n">d</span><span class="o">/</span><span class="n">ganeti</span> <span class="n">restart</span>

<span class="n">gnt</span><span class="o">-</span><span class="n">cluster</span> <span class="n">copyfile</span> <span class="o">/</span><span class="n">var</span><span class="o">/</span><span class="n">lib</span><span class="o">/</span><span class="n">ganeti</span><span class="o">/</span><span class="n">server</span><span class="o">.</span><span class="n">pem</span>

<span class="n">gnt</span><span class="o">-</span><span class="n">cluster</span> <span class="n">command</span> <span class="o">/</span><span class="n">etc</span><span class="o">/</span><span class="n">init</span><span class="o">.</span><span class="n">d</span><span class="o">/</span><span class="n">ganeti</span> <span class="n">restart</span>
</pre></div>
</div>
<p>Note that older versions don’t have individual node certificates and thus
one does not have to handle the creation and distribution of them.</p>
</div>
<div class="section" id="replacing-ssh-keys">
<h2>Replacing SSH keys<a class="headerlink" href="#replacing-ssh-keys" title="Permalink to this headline"></a></h2>
<p>There are two sets of SSH keys in the cluster: the host keys (both DSA
and RSA, though Ganeti only uses the RSA one) and root’s DSA key
(Ganeti uses DSA for historical reasons; in the future RSA will be
used).</p>
<div class="section" id="host-keys">
<h3>host keys<a class="headerlink" href="#host-keys" title="Permalink to this headline"></a></h3>
<p>These are the files named <code class="docutils literal"><span class="pre">/etc/ssh/ssh_host_*</span></code>. You need to
recreate them manually; it’s possible that the startup script of
OpenSSH will generate them if they don’t exist, or that the package
system regenerates them.</p>
<p>Also make sure to copy the master’s SSH host keys to all other nodes.</p>
</div>
<div class="section" id="cluster-public-key-file">
<h3>cluster public key file<a class="headerlink" href="#cluster-public-key-file" title="Permalink to this headline"></a></h3>
<p>The new public RSA host key created in the previous step must be added
in two places:</p>
<ol class="arabic simple">
<li>known hosts file, <code class="docutils literal"><span class="pre">/var/lib/ganeti/known_hosts</span></code></li>
<li>cluster configuration file, <code class="docutils literal"><span class="pre">/var/lib/ganeti/config.data</span></code></li>
</ol>
<p>Edit these two files and update them with the SSH host key newly
generated in the previous step (take it from
<code class="docutils literal"><span class="pre">/etc/ssh/ssh_host_rsa_key.pub</span></code>).</p>
<p>For the <code class="docutils literal"><span class="pre">config.data</span></code> file, please look for an entry named
<code class="docutils literal"><span class="pre">rsahostkeypub</span></code> and replace the value for it with the contents of
the <code class="docutils literal"><span class="pre">.pub</span></code> file. For the <code class="docutils literal"><span class="pre">known_hosts</span></code> file, you need to replace
the old key with the new one on each line (for each host).</p>
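<p>Both edits can be scripted instead of done by hand. The following is an added example, not part of the Ganeti documentation or code base: it assumes <code class="docutils literal"><span class="pre">config.data</span></code> is JSON with the key stored under <code class="docutils literal"><span class="pre">["cluster"]["rsahostkeypub"]</span></code>, keeps whichever layout that value already has (a bare base64 body, or <code class="docutils literal"><span class="pre">ssh-rsa &lt;body&gt;</span></code>), and only rewrites <code class="docutils literal"><span class="pre">known_hosts</span></code> lines that still carry the old RSA key, leaving other key types alone. The sample data is constructed.</p>

```python
"""Update Ganeti's two copies of the master SSH host key (added example,
not Ganeti code). Assumes config.data is JSON with the key under
["cluster"]["rsahostkeypub"]; the stored layout is preserved."""
import json

# Constructed sample data (not real keys): config.data, known_hosts, new .pub.
SAMPLE_CONFIG = json.dumps({"cluster": {"cluster_name": "cluster.example",
                                        "rsahostkeypub": "AAAAB3OLDKEY="}})
SAMPLE_KNOWN_HOSTS = ("cluster.example ssh-rsa AAAAB3OLDKEY=\n"
                      "node1.example ssh-rsa AAAAB3OLDKEY=\n"
                      "node2.example ssh-ed25519 AAAAC3OTHERKEY=\n")
SAMPLE_NEW_PUB = "ssh-rsa AAAAB3NEWKEY= root@master\n"

def parse_pub_key(pub_text):
    """Split an ssh_host_rsa_key.pub line into (keytype, base64 body)."""
    fields = pub_text.split()
    if len(fields) < 2 or fields[0] != "ssh-rsa":
        raise ValueError("expected an ssh-rsa public key line")
    return fields[0], fields[1]

def update_config_data(config_text, pub_text):
    """Return (new config.data text, old base64 body)."""
    keytype, body = parse_pub_key(pub_text)
    cfg = json.loads(config_text)
    cluster = cfg["cluster"]
    old = cluster["rsahostkeypub"]
    if old.startswith(keytype + " "):  # hand-edited "ssh-rsa <body>" form
        cluster["rsahostkeypub"] = keytype + " " + body
        old = old.split()[1]
    else:                               # bare body (assumed default form)
        cluster["rsahostkeypub"] = body
    return json.dumps(cfg, indent=2, sort_keys=True) + "\n", old

def update_known_hosts(known_hosts_text, old_body, pub_text):
    """Swap the body on every 'host ssh-rsa <old_body>' line; other key
    types and unrelated lines stay untouched. Returns (text, count)."""
    keytype, body = parse_pub_key(pub_text)
    out, replaced = [], 0
    for line in known_hosts_text.splitlines():
        f = line.split()
        if len(f) >= 3 and f[1] == keytype and f[2] == old_body:
            out.append(" ".join([f[0], keytype, body] + f[3:]))
            replaced += 1
        else:
            out.append(line)
    return "\n".join(out) + "\n", replaced

if __name__ == "__main__":
    cfg, old = update_config_data(SAMPLE_CONFIG, SAMPLE_NEW_PUB)
    print(cfg, update_known_hosts(SAMPLE_KNOWN_HOSTS, old, SAMPLE_NEW_PUB)[0])
```

Check an existing <code class="docutils literal"><span class="pre">rsahostkeypub</span></code> value on your own cluster before running this against the real files, and keep backups of both.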
</div>
<div class="section" id="root-s-key">
<h3>root’s key<a class="headerlink" href="#root-s-key" title="Permalink to this headline"></a></h3>
<p>These are the files named <code class="docutils literal"><span class="pre">~root/.ssh/id_dsa*</span></code>.</p>
<p>Run this command to rebuild them:</p>
<div class="highlight-default"><div class="highlight"><pre><span></span><span class="n">ssh</span><span class="o">-</span><span class="n">keygen</span> <span class="o">-</span><span class="n">t</span> <span class="n">dsa</span> <span class="o">-</span><span class="n">f</span> <span class="o">~</span><span class="n">root</span><span class="o">/.</span><span class="n">ssh</span><span class="o">/</span><span class="n">id_dsa</span> <span class="o">-</span><span class="n">q</span> <span class="o">-</span><span class="n">N</span> <span class="s2">&quot;&quot;</span>
</pre></div>
</div>
</div>
<div class="section" id="root-s-authorized-keys">
<h3>root’s <code class="docutils literal"><span class="pre">authorized_keys</span></code><a class="headerlink" href="#root-s-authorized-keys" title="Permalink to this headline"></a></h3>
<p>This is the file named <code class="docutils literal"><span class="pre">~root/.ssh/authorized_keys</span></code>.</p>
<p>Edit the file and update it with the newly generated root key, from the
<code class="docutils literal"><span class="pre">id_dsa.pub</span></code> file generated in the previous step.</p>
</div>
</div>
<div class="section" id="finish">
<h2>Finish<a class="headerlink" href="#finish" title="Permalink to this headline"></a></h2>
<p>In the end, the files mentioned above should be identical for all
nodes in a cluster. Also do not forget to run <code class="docutils literal"><span class="pre">gnt-cluster</span> <span class="pre">verify</span></code>.</p>
</div>
</div>


          </div>
        </div>
      </div>
      <div class="clearer"></div>
    </div>
    <div class="footer" role="contentinfo">
        &#169; Copyright 2018, 2007, 2008, 2009, 2010, 2011, 2012, 2013, 2014, 2015 Google Inc.
      Created using <a href="http://sphinx-doc.org/">Sphinx</a> 1.6.7.
    </div>
  </body>
</html>